Published

Security monitoring of Debian alerts is less than practical

I was looking for a program (command-line) that would allow me to check if a Debian system
was up to date against all the offical security annoucements (DSA). Something like the program glsa-check which is available for Gentoo systems.

I just found two, none of them being really useful:

forgotten_name: It works, but the bad point is that the inner working is to test the upgrade for ALL packages, which is quite slow…

tiger: They cheated a little, as they made a “static” file used to compare to a filesystem.

So I decided to make my own. Alas, the people responsible for Debian security
don’t seem to give any easy way to get the DSA in a stable/correct way.

Here are the different possibilities, and why they’re hard/impossible to use:

There’s a “search engine” that is supposed to allow you to search for CVE entries, but it doesn’t work (has it worked at one time?) and now you only get a message “Debian Search disabled”.

The contents are just a title, a link, a two words description and the issued date

There is the security-announce mailing list. Not really practical.

To correct the problem of the 15 or less entries in the distributed RDF file, I took instead the “year” page which gives exactly the same thing but in HTML. Some regexp, and we get the same result as the RDFs, but with the whole list of DSAs (but still not enough information).

Next, to get the detailed data, that is, the affected packages and the corrected version numbers (the most important things) we need to download the corresponding DSA page. For example, for the DSA 1174, you would get the content of the page http://www.debian.org/security/2006/dsa-1174 .

Here begins the fun. That page doesn’t have a static structure at all! Many inconsistencies are making the parsing of the page unreliable.
For example, let’s just start with the DSA number. For example, for the DSA 1174, you find that on the details page, it’s 1174-1.

Next, you would think that with the use of templates, that page would have some kind of fixed format. Que nenni! The text is not always the same. For example, the text ‘has been fixed in’ isn’t always formatted the same way.

About the affected packages, you have a paragraph named ‘Affected Packages’, which is inconsistent with the really affected packages (never more that one package), which can be found later in the page in ‘Fixed in’.

Redhat is submitting its alerts to OVAL, which uses a really nice format and also gives an interpreter for the language. I saw just one or two messages on the OVAL mailing list about debian :-(